The Secure Storage component ensures that sensitive data is managed securely on the device. The most important data to protect is the private key, which is generated during registration and accessed in every subsequent FIDO operation. Secure storage relies on the following platform facilities:
- Android: Shared Preferences and Keystore
- iOS: Keychain and Secure Enclave
The private key used for FIDO UAF is completely managed by the hardware-backed Keystore on Android, and by the Secure Enclave on iOS. This storage option is possible only if the device is configured to use a lock screen.
Key material used for push notification encryption and signing, together with other sensitive data used in the FIDO UAF context, is stored securely in Shared Preferences on Android, and in the Keychain on iOS.
The application PIN, used by the Application PIN Authenticator, is also stored securely in the Shared Preferences and Keychain.
To provide additional protection of the private key, the device offers the option of binding the key with user authentication. In this configuration, the user must always authenticate if access to the private key is needed. To authenticate, the user must provide one of the system-defined credentials such as the ones listed for the device lock screen.
The SDK verifies and enforces the presence of secure storage.
- On iOS, this is enforced by requiring iOS 11, which only runs on iPhones with the Secure Enclave present.
- On Android, SDK initialization fails at runtime if no secure storage is available.
Some devices lack the required secure storage. For details, see the Device Support section of the Access App documentation.
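As an added illustration, not code from the SDK or from this page, the following Java shows how the properties described above map onto the Android Keystore API: checking that a lock screen is configured before creating the key, generating a signing key bound to user authentication, and verifying after generation that the key actually lives in secure hardware. The class name and key alias are assumptions.

```java
import android.app.KeyguardManager;
import android.content.Context;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyInfo;
import android.security.keystore.KeyProperties;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.spec.ECGenParameterSpec;

/** Assumed helper (not part of any SDK): hardware-backed, auth-bound EC key for UAF-style signing. */
public final class HardwareKeyCheck {
    private static final String KEY_ALIAS = "example-uaf-key"; // constructed alias, not a real SDK value

    /** Mirrors the "lock screen must be configured" precondition: refuse to create the key otherwise. */
    public static boolean lockScreenConfigured(Context ctx) {
        KeyguardManager km = (KeyguardManager) ctx.getSystemService(Context.KEYGUARD_SERVICE);
        return km != null && km.isDeviceSecure();
    }

    /** Generates a P-256 signing key in AndroidKeyStore that is usable only after the user authenticates. */
    public static KeyPair generateAuthBoundKey() throws Exception {
        KeyGenParameterSpec spec = new KeyGenParameterSpec.Builder(KEY_ALIAS, KeyProperties.PURPOSE_SIGN)
                .setAlgorithmParameterSpec(new ECGenParameterSpec("secp256r1"))
                .setDigests(KeyProperties.DIGEST_SHA256)
                .setUserAuthenticationRequired(true)        // lock-screen credential or biometric needed per use
                .setInvalidatedByBiometricEnrollment(true)  // enrolling a new biometric invalidates the key
                .build();
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(KeyProperties.KEY_ALGORITHM_EC, "AndroidKeyStore");
        kpg.initialize(spec);
        return kpg.generateKeyPair();
    }

    /** Verifies that the stored private key is inside secure hardware and still bound to user authentication. */
    public static boolean isHardwareBackedAndAuthBound() throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        PrivateKey priv = (PrivateKey) ks.getKey(KEY_ALIAS, null);
        if (priv == null) return false;
        KeyFactory kf = KeyFactory.getInstance(priv.getAlgorithm(), "AndroidKeyStore");
        KeyInfo info = kf.getKeySpec(priv, KeyInfo.class);
        // isInsideSecureHardware() is deprecated from API 31 in favour of getSecurityLevel(), but still answers
        // the question this page cares about: did the key end up in the hardware-backed Keystore or not?
        return info.isInsideSecureHardware() && info.isUserAuthenticationRequired();
    }
}
```

Signing with this key while the user is not authenticated throws `android.security.keystore.UserNotAuthenticatedException`, which is the enforcement point for the "user must always authenticate" behaviour described above.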